Security at Mendral
Mendral is built to help teams run automation against their engineering workflows while protecting customer data. This page summarizes our security posture, operational practices, and how to contact us about security.
If you need a security questionnaire, DPA, or compliance materials, contact security@mendral.com.
Compliance
SOC 2 Type II
Mendral has completed its SOC 2 Type II examination. The report is available to customers and prospects under NDA upon request through our Trust Center.
- Auditor: MJD Advisors, LLC
- Trust Services Criteria: Security, Availability, Confidentiality
- Report period: October 15, 2025 to January 15, 2026
- Report issue date: January 26, 2026
Mendral maintains a continuous audit cycle. Our next examination period begins immediately following the prior report period, and we expect to issue updated reports on an annual basis.
Data handling
Customer code
- Mendral does not store customer source code as part of normal operation.
- Mendral may process customer code transiently in an isolated execution environment provided by the Blaxel sandbox service.
- The sandbox environment is destroyed after it runs.
Logs and telemetry
- We store customer operational logs in ClickHouse Cloud for up to 3 months (approximately 90 days) to operate, secure, and troubleshoot the Service.
- After the retention period, logs are deleted or de-identified.
AI processing
- If the Service uses Anthropic to generate outputs, we may send limited inputs to Anthropic to perform that function.
- Anthropic is configured with Zero Data Retention per our settings.
Infrastructure and subprocessors
We use reputable vendors to operate the Service. These vendors may process customer data on our behalf under contractual restrictions.
Core vendors
- Google Cloud Platform (Cloud Run). Backend compute, networking, and storage. Primary region: us-east
- Vercel. Frontend hosting and delivery. Primary region: us-east
- ClickHouse Cloud. Log storage and querying
- PostHog Cloud. Product analytics
- WorkOS. Authentication and SSO
- Stripe. Billing and subscription management
- Blaxel sandbox service. Ephemeral sandbox execution
- Anthropic. AI model provider (Zero Data Retention configured)
Encryption
- In transit: We use TLS for data transmitted between clients, our Service, and our service providers.
- At rest: We rely on encryption-at-rest capabilities offered by our cloud and storage providers where applicable.
Access control
- Access to production systems is limited to authorized personnel with a business need.
- We apply least-privilege access controls and review access periodically.
- Administrative access requires strong authentication.
- We maintain audit logs for key administrative actions.
Secure development practices
We aim to prevent vulnerabilities through disciplined engineering practices.
- Code review and change controls
- Dependency and vulnerability scanning
- Secrets management and rotation
- Environment separation (dev, staging, production)
- Security testing and periodic assessments
Incident response
We maintain an incident response process to investigate, contain, remediate, and communicate security events.
Reporting a security issue
- Email: security@mendral.com
Customer notifications
- If we confirm a security incident affecting customer data, we will provide notifications consistent with our contractual and legal obligations.
Backups and disaster recovery
We maintain backups to support service continuity and disaster recovery.
Note. Data deleted from active systems may remain in backups until the retention period expires.
Customer responsibilities
Security is shared. Customers should:
- Use strong authentication and enforce MFA where possible
- Manage access using least privilege and remove inactive accounts promptly
- Avoid including secrets in any text inputs, logs, or prompts submitted to the Service
- Review organizational policies for code and data handling prior to enabling automation
Contact
For security questions or compliance requests: security@mendral.com